

ikkhatri

Deploying Applications Using Security Groups Via SCCM


Hello,

 

This is my first post as I just registered with W-N.

This question may have been asked before however I wasn't able to find it so I would like to apologise if I'm asking it again.

 

I have a lab setup and I have successfully deployed the OS's to various VM's in my network.

 

What I would like to do is add a security group to a computer object and have SCCM deploy it to the specified computer.

 

1. I have created an OU called " Subscriber Applications ". And in this OU I have created 2 Security Groups:

 

Security Group 1: Application - Google Chrome

Security Group 2: Application- Mozilla Firefox

 

2. In the CM 2012 Console ( -> Software Library -> Overview -> Application Management -> Applications ), under Applications, I have created the 2 Applications using their MSI installation files, then Distributed Content to the DP. (Named them: Mozilla Firefox and Google Chrome)

 

3. Under Assets and Compliance-> Overview-> Device Collections I created a new folder called Applications.

4. In that folder I created a Device collection called Google Chrome.

5. Limiting Collection was set to All Systems.

6. In Query Rule properties I named it Google Chrome again. Then clicked Edit Query Statement.

7. In Criterion Properties, Type was set as Simple Value. Attribute Class: System Resource, Attribute: System Group Name; Value: I chose the security group.

 

Query Statement:

select * from SMS_R_System where

SMS_R_System.SystemGroupName = Domain\Application - Google Chrome.

 

Once it's created I right click and deploy it. It installs Google Chrome to all computers instead of only on the computer that has Google Chrome membership.

 

Can someone please guide me on this. I know I'm doing this all wrong.

 

Once again...Sorry for the double post.

 

And many many thanks for your assistance.

 

 

 

 


Do you actually see just the computers in the group? Have you also set up AD group discovery in SCCM for these groups?


I see the computers in the AD groups and yes, I have enabled AD group discovery in SCCM, and clicked yes to run the Discovery as soon as possible when I first enabled it. However, I have run the discovery again.



Also: under Software Library -> Overview -> Application Management -> Applications, when I right click on the Google Chrome application and click deploy, it does deploy the application, but to all the computers.



Is there a new collection that I may need to create and put the computers in there?



What are the steps to configure SCCM in a way where all I have to do is add the application security group membership to a computer in Active Directory and SCCM deploys it to that computer only automatically?



Example PC Names: testpc1 , testpc2 and testpc3.



In the properties of testpc1 I click member of and add the group membership for Chrome and SCCM will deploy the application to testpc1 only.



Thank you so much for helping me out. (Still new with SCCM)


Which collection are you deploying your software to? It needs to be the "Google Chrome" collection or "Mozilla Firefox"


Thank You all for all your help. I was successfully able to achieve this using the below query:

 

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "Domain\\Application - Mozilla Firefox"

 

How I did this: I created an OU in AD, named it Subscriber Applications, and in this OU I created application security groups. Then:

1. Created the 2 applications (Chrome and Firefox) and Distributed Content.

2. Under Device Collections I created a new folder and named it Applications.

3. In the Applications folder I created 2 Device Collections named: Application - Google Chrome and Application - Mozilla Firefox.

4. For the Limiting Collection I used " All Desktop And Server Clients "

5. On The next screen, clicked add rule and chose the query rule option

6. Name: The Application name exactly as I have it named in my AD security group (Example: Application - Google Chrome)

7. Clicked Edit Query statement then clicked Show Query Language

8. Clear everything in the box and paste the above query.

(make sure to change the last bit to "YOURDOMAINNAME\\YouApplicationSecurityGroupName")

9. Next it all the way.

10. Go to Software Library then right click the application and click deploy.

11. For the Collection, on the left pane drop down, change to device collections and locate the application collection we just created. (You will receive a popup stating that the collection does not contain any members; that's ok, just hit ok.)

12. Next it all the way.

 

Now in AD open up computer properties --> member of --> and add the application group in it.

Mine took about 12 minutes and it deployed it successfully to the PC which was in the Google Chrome group.

 

Hope this helps someone.

 

 

 

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Next thing I would like to do is uninstall the application. Same process but this time once I remove the application security group from the computer membership I would like SCCM to uninstall the application automatically.

 

I have no clue on how to do this.

Any help would be great. The only thing I could find was a Query:

 

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_R_System.NetbiosName not in (Select SMS_R_System.NetBiosName from SMS_R_System where SMS_R_System.SystemGroupName = "<Domain>\\<Security Group>") and SMS_R_System.Client = 1 and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "<NAME OF APPLICATION>"

 

Can someone please help with some instructions.

 

Thanks.


I don't know how to do it automatically. I've solved it this way:

 

I have created two security groups. One called "Firefox - Install" and another "Firefox - Uninstall" Created two programs in SCCM, one that installs, and one that uninstalls. I've deployed the uninstall program to my "Firefox - Uninstall" SCCM collection. Works great, but to do it automatically would be nice. Maybe someone has a solution.

 

/kman


Thanks kman.

I'll try that.

However to query it when creating the collection...what is to be used?

 

The bottom query?

 

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_R_System.NetbiosName not in (Select SMS_R_System.NetBiosName from SMS_R_System where SMS_R_System.SystemGroupName = "<Domain>\\<Security Group>") and SMS_R_System.Client = 1 and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "<NAME OF APPLICATION>"

 

Since in the query there's already a security group specified... do I still need to put this: and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "<NAME OF APPLICATION>"


I'm using this query for the collection to uninstall a program.

 

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "MYDOMAIN_NAME\\Firefox - Uninstall"


Ok, so I have tested this and it is working pretty well for me.

SCCM to uninstall an application when you remove the computer from the Application security group.

 

I will be using the security group: “ Application – Google Chrome “ as an example.

 

In Device collections as I previously mentioned I created a folder for applications and created the collections in that folder to deploy applications.

  1. I have created another folder in Device Collections called Applications – Uninstall.
  2. In there I have created a collection called: Application – Google Chrome UN
  3. Limiting Collection: All Desktop And Server Clients
  4. Clicked Add Rule, Query Rule, and named it as Application – Google Chrome UN
  5. Resource Class: System Resources then clicked Edit Query Statement then Show Query Language.
  6. Cleared the box and entered:

 

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_R_System.NetbiosName not in (Select SMS_R_System.NetBiosName from SMS_R_System where SMS_R_System.SystemGroupName = "YourDOMAIN\\YOUR APPLICATION SECURITY GROUP") and SMS_R_System.Client = 1 and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Google Chrome"

 

7. Then ok.

8. Clicked on add Rule and this time clicked Exclude Collection and chose the Installation Collection I created in my earlier post.

9. Next it all the way

10. Now we need to deploy the collection we just created.

11. Right clicked then clicked Deploy → Application

12. Software – Chose the google chrome application

13. Click Next until you get to Deployment Settings and Change Install to Uninstall.

14. Next it all the way.
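
The install and uninstall collections described in this thread, scripted with the ConfigurationManager PowerShell module, as an added example that is not part of any poster's message. The site code `XYZ`, the domain `YOURDOMAINNAME`, `-RefreshType Continuous` and `-DeployPurpose Required` are assumptions not given in the thread, and the console folders are not created.

```powershell
# Added example. Placeholders: $SiteCode and $Domain. Assumptions: refresh type, deploy purpose.
$SiteCode = 'XYZ'                                   # placeholder site code
$Domain   = 'YOURDOMAINNAME'                        # placeholder NetBIOS domain name
$App      = 'Google Chrome'                         # application name and ARP DisplayName
$Group    = "Application - $App"                    # AD security group, named as in the thread
$Limit    = 'All Desktop And Server Clients'        # limiting collection used in the thread

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "${SiteCode}:"

function ConvertTo-WqlLiteral([string]$Value) {
    # WQL string literals escape backslash and double quote with a backslash,
    # which is why the thread's queries write DOMAIN\\Group.
    $escaped = ($Value -replace '\\', '\\') -replace '"', '\"'
    return '"' + $escaped + '"'
}

$groupLit = ConvertTo-WqlLiteral "$Domain\$Group"
$appLit   = ConvertTo-WqlLiteral $App
$cols = 'SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,' +
        'SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client'

# Install collection: devices discovered as members of the AD group.
$inGroup = "select $cols from SMS_R_System where SMS_R_System.SystemGroupName = $groupLit"

# Uninstall collection: clients that report the product in Add/Remove Programs
# but are not members of the AD group.
$notInGroup = "select $cols from SMS_R_System " +
    "inner join SMS_G_System_ADD_REMOVE_PROGRAMS " +
    "on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId " +
    "where SMS_R_System.NetbiosName not in " +
    "(select SMS_R_System.NetbiosName from SMS_R_System where SMS_R_System.SystemGroupName = $groupLit) " +
    "and SMS_R_System.Client = 1 and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = $appLit"

# Install side: collection, query rule, deployment targeted at that collection only.
New-CMDeviceCollection -Name $Group -LimitingCollectionName $Limit -RefreshType Continuous | Out-Null
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Group -RuleName $Group -QueryExpression $inGroup
New-CMApplicationDeployment -Name $App -CollectionName $Group -DeployAction Install -DeployPurpose Required

# Uninstall side: query rule plus an exclude rule for the install collection.
$Un = "$Group UN"
New-CMDeviceCollection -Name $Un -LimitingCollectionName $Limit -RefreshType Continuous | Out-Null
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Un -RuleName $Un -QueryExpression $notInGroup
Add-CMDeviceCollectionExcludeMembershipRule -CollectionName $Un -ExcludeCollectionName $Group
New-CMApplicationDeployment -Name $App -CollectionName $Un -DeployAction Uninstall -DeployPurpose Required
```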
